Well, I called my original post "random speculation", so maybe I should just shut the hell up. :) But not before one last shot at this...
On Thu, Aug 23, 2001 at 10:23:30PM -0500, Nathan E Norman wrote:
> On Thu, Aug 23, 2001 at 11:11:09PM -0400, Mike McGuire wrote:
> > On Thu, Aug 23, 2001 at 09:31:59PM -0500, Nathan E Norman wrote:
> > >
> > > [this was getting too long. and it's not terribly interesting
> > > it is. if you've got to know, you should be able to find it.]
> >
> > b) IF you have the special superFOO deluxe masquerading module in
> > the kernel THEN you don't need ipmasq, and
>
> You're looking at it backwards. If you install ipmasq (the package),
> your kernel must have firewalling support compiled in. Otherwise the
> ipmasq package is useless.
>
> Of course, you don't _need_ to install ipmasq to use the functionality
> you've compiled into the kernel; it just makes it easier.

OK, I know that ipmasq needs kernel firewalling support. However, I
don't think I made clear there's also kernel masquerading support *in
addition* to the firewalling support...

So you've got firewalling and you want masquerading. There are a few
choices:

0) kernel firewalling, write your own masq scripts w/ ipfoo.
1) kernel firewalling, use ipmasq's scripts.
2) kernel firewalling and masquerading, turn it on w/ ipfoo.

Just so you don't yell at me again ;) here's how #2 works.
(2.4.x kernel using netfilter/iptables)

(somewhere in the kernel config)
CONFIG_IP_NF_IPTABLES=m           # general filtering
CONFIG_IP_NF_FILTER=m             # packet filtering
CONFIG_IP_NF_NAT=m                # Netwk Addr Translation
CONFIG_IP_NF_NAT_NEEDED=y
CONFIG_IP_NF_TARGET_MASQUERADE=m  # special NAT module

Then to set it all up, one whole line (though this just does the
masquerading, no real firewalling, but I think that the masq stuff was
the point to this whole mess...) :

iptables -t nat -A POSTROUTING -o ppp0 -j MASQUERADE

As I understood it, the default kernel just does filtering, and maybe
NAT. And that's all ipmasq needs to work. Perhaps the masquerading
module is just some extra feature in 2.4.x/iptables? (That could
explain most of this confusion. arg.
(But then, me being completely wrong could too. I hope that's not it. ;) )

> > [more blather]
>
> I don't understand what you're on about with this "faster" stuff. IP
> Masq support in the kernel is ip masq support. It doesn't work
> automatically; you have to configure it. The ipmasq package does
> exactly that.

eh. When you said you'd recommend a custom kernel "especially if you're
manipulating packets", I just assumed you thought it was faster too.

And I still think the difference is that it's *not* IP masq support in
the kernel when using ipmasq; it's IP masq in user space using the
kernel IP filter support. The IP_FOO_MASQ module I mentioned above is
obviously kernel IP masq support, so if I'm right about all that - and I
hope I am - kernel code should be faster vs. user space code.

But then, I could be wrong. Quite likely, in fact. If I am, just tell
everyone that I'm an idiot, and why, and as simply as can be done to
prevent eating away any more of their bandwidth.

Now I've got TV to watch, and I've got to throw some stuff together so I
can leave for school tomorrow, so I'm done. No more. :)

Respectfully submitted,
Yours etc., and this time I quit. Really. :)

Mike McGuire
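An added example, not code from the message above or from the ipmasq package: the single MASQUERADE line quoted in the post, wrapped in the stateful FORWARD filtering it admits it does not provide. It assumes ppp0 is the outside interface and eth0 the LAN, and prints the commands unless APPLY=1 is set, so it can be reviewed without root.

```shell
#!/bin/sh
# Added example (not from the original post): masquerade a LAN behind a
# 2.4.x/iptables kernel built with the CONFIG_IP_NF_* options listed above,
# plus the stateful FORWARD filter that the bare MASQUERADE rule leaves out.
# Assumed interfaces: ppp0 = outside (WAN), eth0 = inside (LAN).
# Default is a dry run that prints each command; APPLY=1 executes them.

run() {
    if [ -n "$APPLY" ]; then
        "$@"
    else
        echo "$*"
    fi
}

# masq_setup WAN_IF LAN_IF: apply (or print) the whole rule set in order.
masq_setup() {
    wan="$1"
    lan="$2"

    # Without routing between interfaces, masquerading has nothing to do.
    run sysctl -w net.ipv4.ip_forward=1

    # Refuse to forward by default; only the rules below open anything.
    run iptables -P FORWARD DROP
    run iptables -F FORWARD
    run iptables -t nat -F POSTROUTING

    # Replies to connections the LAN opened are allowed back in.
    run iptables -A FORWARD -i "$wan" -o "$lan" \
        -m state --state ESTABLISHED,RELATED -j ACCEPT
    # New connections may only originate on the LAN side.
    run iptables -A FORWARD -i "$lan" -o "$wan" -j ACCEPT
    # Everything else crossing the box is logged before the DROP policy.
    run iptables -A FORWARD -j LOG --log-prefix "FWD-DROP: "

    # The line from the post: rewrite source addresses leaving via the WAN.
    run iptables -t nat -A POSTROUTING -o "$wan" -j MASQUERADE
}

# masq_rules WAN_IF LAN_IF: always print, never apply (for review/testing).
masq_rules() {
    ( APPLY=; masq_setup "$1" "$2" )
}

masq_setup "${WAN_IF:-ppp0}" "${LAN_IF:-eth0}"
```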